Data Espionage Sleuths Aim to Put Chinese Corporations in Court

In recent years, computer security companies and even U.S. government officials have alleged that attackers in China and elsewhere routinely steal company secrets from U.S. corporate computers. But tracing the perpetrators of such breaches, and showing which companies may have received the copied data, is extremely difficult. Now a startup company, CrowdStrike, has developed tools that it says can track attacks in enough detail for victims to publicly accuse those benefiting. The companies can then take legal action or lobby for international trade sanctions.

That would be a new tactic for U.S. companies, and one that could have significant geopolitical implications. CrowdStrike, like other security companies, says the Chinese military, the People’s Liberation Army—acting on behalf of Chinese companies—is the most prolific infiltrator of U.S. corporate networks. Although the private sector and government are increasingly willing to acknowledge the problem, specific accusations have not yet been made in public, and Washington’s response has been cautious and mostly concerned with national security.

“If we wait for government to solve this problem, we’ll be waiting for a long time,” says Dmitri Alperovitch, CrowdStrike’s cofounder and CTO. “But we can effect a lot of leverage against these groups if we look at where the data goes.”

That requires going a step beyond the type of analysis revealed in a detailed report published by CrowdStrike competitor Mandiant last week. The report grabbed headlines by accusing a particular Chinese army unit of regularly infiltrating U.S. companies (see “Exposé of Chinese Data Thieves Reveals Sloppy Tactics”).

“It’s not the PLA that’s interested in Coca-Cola’s data—there’s another consumer,” says Alperovitch. “It may be state-owned enterprises or a company working closely with the government. You can’t do a lot against the PLA, but you can do a lot against that company.”

CrowdStrike isn’t revealing many details about its technology for fear of helping out attackers. But Alperovitch says that tactics could include using decoys inside a company’s network to deceive attackers into doing things that allow their technology, methods, and communication systems to be reverse-engineered. Other strategies could include directing attackers toward fake versions of valuable data and then watching possible beneficiaries for clues that they saw and acted on it. An approach dubbed “beaconing,” which involves embedding code into data that phones home after it is copied, can also help identify where data ends up, says Alperovitch. The company offers customers a software package called Falcon that can detect attacks, gather data, and help deploy such responses. It also makes computer security and intelligence specialists available to help interpret the data gathered and advise on how a company should proceed.
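The decoy-and-beacon idea described above, as an added example that is not CrowdStrike’s Falcon code or anything the article discloses: a small Python canary registry that plants decoy documents, each carrying its own unguessable beacon URL, and attributes later callbacks found in web-server logs back to the specific planted copy, so a defender can tell which decoy was opened, from where, and when. The callback host, the common-log-format lines, and the decoy names are assumptions constructed for the example.

```python
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Decoy:
    name: str        # label of the fake document (constructed, not real data)
    planted_on: str  # host or share where the decoy was placed
    token: str       # random token unique to this planted copy


class CanaryRegistry:
    # Common-log-format beacon request, e.g.
    # 203.0.113.7 - - [10/Mar/2013:09:12:01 +0000] "GET /b/<token>.png HTTP/1.1" 200 68
    LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                        r'"GET /b/(?P<token>[0-9a-f]{16})\.png HTTP/1\.[01]"')

    def __init__(self, callback_host: str):
        self.callback_host = callback_host  # hypothetical host that serves the beacons
        self._by_token: dict[str, Decoy] = {}

    def plant(self, name: str, planted_on: str) -> Decoy:
        # Each planted copy gets its own token so a callback identifies that copy.
        decoy = Decoy(name, planted_on, secrets.token_hex(8))
        self._by_token[decoy.token] = decoy
        return decoy

    def beacon_url(self, decoy: Decoy) -> str:
        # URL to embed in the decoy, e.g. as a remote image or template link.
        return f"https://{self.callback_host}/b/{decoy.token}.png"

    def attribute(self, log_lines) -> list[dict]:
        # Map beacon requests in the callback server's logs back to planted decoys.
        hits = []
        for line in log_lines:
            m = self.LOG_RE.match(line)
            if not m or m["token"] not in self._by_token:
                continue  # not a beacon request, or an unknown token (scanner noise)
            d = self._by_token[m["token"]]
            hits.append({"decoy": d.name, "planted_on": d.planted_on,
                         "opened_from": m["src"], "when": m["ts"]})
        return hits


def demo() -> list[dict]:
    # Plant two decoys and run constructed log lines through attribution.
    reg = CanaryRegistry("canary.example.invalid")
    a = reg.plant("Q3-merger-plan.docx", "fileserver01\\finance")
    b = reg.plant("turbine-specs.xlsx", "eng-share\\designs")
    logs = [  # constructed sample lines, not captured traffic
        f'203.0.113.7 - - [10/Mar/2013:09:12:01 +0000] "GET /b/{a.token}.png HTTP/1.1" 200 68',
        f'198.51.100.4 - - [10/Mar/2013:11:40:33 +0000] "GET /b/{"0" * 16}.png HTTP/1.1" 404 0',
        f'203.0.113.9 - - [11/Mar/2013:02:05:17 +0000] "GET /b/{b.token}.png HTTP/1.0" 200 68',
    ]
    return reg.attribute(logs)
```

The source address of a callback is only a lead, not proof of who holds the data; it points the analyst at which decoy left the network and where the first request came from, which is the starting point for the follow-up work the article describes.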

CrowdStrike has already been working with some U.S. companies and nonprofits, and Alperovitch says it’s gathered strong evidence about companies that have benefited from stolen data. He’s now trying to talk some clients into making a public response such as legal action, but he concedes that the idea causes some nervousness in the boardroom: “A number are thinking hard about it, but they worry about retaliation.” Alperovitch believes that risk could be mitigated if several companies in a particular industry stepped forward together.

Irving Lachow, director of the program on technology and U.S. national security at the Center for a New American Security, a think tank in Washington, D.C., says that many U.S. corporations are ready for new ideas about how to protect themselves because conventional security software isn’t doing the job (see “The Antivirus Era Is Over”). “The level of activity has increased to the point where U.S. companies need to do something different to what they’ve been doing,” he says.

Even so, gathering evidence that ties specific companies to industrial espionage will be a challenge, and Lachow says even strong evidence may not be enough for the U.S. government to impose sanctions. “Sanctions are a government decision, and they have to weigh a number of considerations, economic and political,” he says. Pursuing sanctions for computer-based crime could set a precedent that Washington doesn’t want, he explains. Although the U.S. is not often accused of industrial espionage the way China is, it is known to be home to many developers of criminal malware and a growing military malware industry (see “Welcome to the Malware-Industrial Complex”).
